METHODS AND SYSTEMS FOR EFFICIENT CHAINED CERTIFICATION
Field of The Invention 

The present invention relates to systems and methods for efficiently chaining a 
certification in a PKI (Public Key Infrastructure), from a Certifying Authority to end 
users, using operations over elliptic curves and modular exponentiations over finite 
fields or groups. 

Background of the Invention 

The validity of public key cryptographic applications is based on the assumption that 
the public key Yi submitted by a user, termed Useri, is valid. That is, Yi is assumed to 
be undeniably associated with the identification details, termed IDi, of Useri. Verifying 
the validity of Yi is commonly done, by the recipient, by referring to a certificate, which 
is submitted by Useri together with Yi and IDi. 

Said certificate consists of the signature of a CA (Certifying Authority) on the 
association between Yi and IDi. In order to generate said certificate, said CA uses his 
private key, according to the concept of public key cryptography. 

Upon receiving Yi and IDi and said certificate, the recipient verifies the correct 
association between Yi and IDi by referring to said certificate and effecting a signature 
verification procedure, using the public key of said CA. 

When using digital signature procedures based on the discrete logarithm problem, said 
signature verification procedure is based on effecting two modular exponentiation 
operations as clear to persons skilled in the art. 

In a 'chained certification', a Useri attests the association between the public key and
the identification details of another user, termed User(i+1). User(i+1) attests the
association between the public key and the identification details of User(i+2), etc. (The
index i refers to the hierarchical level, in a certification chain, of a user, with respect to
the CA, who acts as User0.)

Using customary certification approaches, said Useri, starting with the CA who acts as
User0, signs the association between the public key and the identification details of said
User(i+1) by generating an explicit signature, generating the certificate Cert(i+1). Using
signature methods which are based on the discrete logarithm problem, a certificate Certi
is a pair {ci,Bi}, where ci is a scalar and Bi is a group-element over which the discrete
logarithm problem applies.

To verify the correct association between said public key of said User(i+1) and said
identification details of said User(i+1), a verifier needs to know the public keys and the
identification details of all users from User1 to User(i+1). The verifier further needs to
know the public key of the CA (as was said, the CA acts as User0) and all certificates
from Cert1 to Cert(i+1). Based on said values, the verifier effects i+1 signature
verification procedures, where each such signature verification requires two modular
exponentiations. Altogether, said verifier performs 2(i+1) exponentiation operations.

The art has so far failed to provide means by which chained certificate verification can
be implemented efficiently, using fewer computational operations to verify a
certification.

It is therefore an object of the present invention to provide a method by which chained 
certificate verification can be carried out with high efficiency. 

Other objects of the invention will become apparent as the description proceeds.

SUMMARY OF THE INVENTION

The invention relates to a method for effecting a chained key-issuing process over a
finite group of points in which the discrete logarithm problem applies, wherein an
issuing user (Useri), who possesses an issuing user public value (Ui) and an issuing user
private key (xi), provides to a successor user (User(i+1)) a successor user public value
(U(i+1)) and a successor user private key (x(i+1)), and where said issuing user, except for
the Certifying Authority (CA), was himself a successor user in a preceding step in the
chained key-issuing process, and where said Certifying Authority acts as the first
issuing user in the chained key-issuing process, comprising the steps of:

(1) permitting said Certifying Authority to select a generating group-point (G) 
whose exponentiations to various powers generate various group-points and a 
converting mathematical operation (H) which converts several input values into a 
scalar; 

(2) permitting said Certifying Authority to possess a Certifying Authority private
key (x0);

(3) permitting said Certifying Authority to possess a Certifying Authority public
value (U0), obtained by exponentiating said generating group-point to the power
of said Certifying Authority private key (U0 = x0*G);

(4) permitting said issuing user (Useri) to possess said generating group-point (G)
and said converting mathematical operation (H) and the identification details
(ID(i+1)) of said successor user;

(5) permitting said issuing user (Useri) to possess an issuing user private key (xi),
where, except for the case in which said issuing user is said Certifying Authority,
said issuing user private key was provided to said issuing user at a preceding stage
in the chained key-issuing process (in which Useri acted as a successor user in
respect to an issuing User(i-1));

(6) permitting said issuing user (Useri) to calculate said successor user public
value (U(i+1)) and said successor user private key (x(i+1)) wherein:

- a successor user random value (k(i+1)) is generated and said successor user
public value (U(i+1)) is calculated by exponentiating said generating
group-point to the power of said successor user random value (U(i+1) =
k(i+1)*G);

- a successor user representing value (H(ID(i+1),U(i+1))) is calculated by
operating with said converting mathematical operation on said successor user
identification details (ID(i+1)) and said successor user public value (U(i+1));

- said successor user private key (x(i+1)) is calculated by multiplying said
successor user representing value (H(ID(i+1),U(i+1))) by said successor user
random value (k(i+1)) and adding said issuing user private key (xi) to the
product obtained by said multiplication (x(i+1) = H(ID(i+1),U(i+1))*k(i+1) + xi)
and reducing the result modulo the order of said generating group-point;

(7) permitting said issuing user (Useri) to submit said successor user public value
(U(i+1)) and said successor user private key (x(i+1)) to said successor user
(User(i+1)).



According to a preferred embodiment of the invention there is provided a method where
the issuing user (Useri) does not know the successor user private key (x(i+1)), further
comprising the steps of:

(i) permitting said successor user (User(i+1)) to generate a first random value
(m(i+1)) and calculate a first intermediate group-point (m(i+1)*G) by
exponentiating the generating group-point to the power of said first random value;

(ii) permitting said successor user to submit said first intermediate group-point
(m(i+1)*G) to said issuing user (Useri);

(iii) permitting said issuing user to calculate a successor user public value (U(i+1))
and a successor user intermediate private key (p(i+1)), wherein:

- a second random value (k(i+1)) is generated and a second intermediate
group-point (k(i+1)*G) is calculated by exponentiating said generating
group-point to the power of said second random value;

- said successor user public value (U(i+1)) is calculated by adding said first
intermediate group-point and said second intermediate group-point (U(i+1) =
m(i+1)*G + k(i+1)*G);

- a successor user representing value (H(ID(i+1),U(i+1))) is calculated in the
way described;

- said successor user intermediate private key (p(i+1)) is calculated by
multiplying said successor user representing value (H(ID(i+1),U(i+1))) by said
second random value (k(i+1)) and adding the issuing user private key (xi) to
the product obtained by said multiplication (p(i+1) = H(ID(i+1),U(i+1))*k(i+1) +
xi) and reducing the result modulo the order of said generating group-point;

(iv) permitting said successor user to generate the successor user private key
(x(i+1)) by calculating said successor user representing value (H(ID(i+1),U(i+1))) in
the way described and multiplying said successor user representing value by said
first random value (m(i+1)) and adding said successor user intermediate private key
(p(i+1)) to the product obtained by said multiplication (x(i+1) =
H(ID(i+1),U(i+1))*m(i+1) + p(i+1)) and reducing the result modulo the order of said
generating group-point.

In another aspect the invention is directed to a certificate generation system for
permitting a generating user who is a successor user (User(i+1)) according to the
aforementioned method of the invention, to issue a certificate to a general user
(User(i+2)) where said certificate attests to the association between said general user
public key (Y(i+2)) and said general user identification details (ID(i+2)), where said
general user public key was issued to said general user according to any known public
key cryptographic method, the system comprising:

(1) means for permitting said generating user to generate a first random scalar
(k(i+2));

(2) means for permitting said generating user to calculate a first part of a
certificate (T(i+2)) by exponentiating the generating group-point to the power
of said first random scalar (T(i+2) = k(i+2)*G);

(3) means for permitting said generating user to calculate a general user
representing value (H(ID(i+2),Y(i+2),T(i+2))) by operating with the converting
mathematical operation on said general user identification details (ID(i+2)) and
said general user public key (Y(i+2)) and said first part of a certificate (T(i+2));

(4) means for permitting said generating user to calculate a second part of a
certificate (s(i+2)) by multiplying said general user representing value by said
first random scalar (k(i+2)) and adding the private key (x(i+1)) of said
generating user to the product obtained by said multiplication (s(i+2) =
H(ID(i+2),Y(i+2),T(i+2))*k(i+2) + x(i+1)) and reducing the result modulo the order
of said generating group-point;

(5) means for permitting said generating user to submit said certificate to said
general user, said certificate comprising of said first part of a certificate
(T(i+2)) and said second part of a certificate (s(i+2)).



According to a preferred embodiment of the invention there is provided a chained
certificate verification system for permitting a verifying user to verify the authenticity of
the certificate (T(i+2) and s(i+2)) issued to the general user (User(i+2)), as defined above,
the system comprising:

(1) means for providing said verifying user with said certificate and with the
general user public key (Y(i+2)) and with the general user identification details
(ID(i+2)) and with the Certifying Authority public value (U0) and with a
plurality of pairs of values (IDj and Uj) consisting of the identification details
and public values of all users (Userj, j = 1, 2, ..., i+1) in the chained
key-issuing process as defined in Claim 1, starting with the first successor
user (User1) after the Certifying Authority and ending with the generating user
(User(i+1)) as hereinbefore defined;

(2) means for permitting said verifying user to verify the validity of said
certificate, wherein:

- a first scalar (H(ID(i+2),Y(i+2),T(i+2))) is calculated by operating with the
converting mathematical operation on said general user identification
details (ID(i+2)) and said general user public key (Y(i+2)) and the first part
of said certificate (T(i+2));

- a first intermediate group-point (H(ID(i+2),Y(i+2),T(i+2))*T(i+2)) is calculated
by exponentiating said first part of the certificate (T(i+2)) to the power of
said first scalar;

- users representing values (H(IDj,Uj), j = 1, 2, ..., i+1) are calculated by
operating with said converting mathematical operation on each pair of said
plurality of pairs of values (IDj and Uj);

- users temporary group-points (H(IDj,Uj)*Uj, j = 1, 2, ..., i+1) are calculated
for each user in said chained key-issuing process, starting with said first
successor user (User1) and ending with said generating user (User(i+1)), by
exponentiating each said user public value (Uj) to the power of said user
representing value (H(IDj,Uj));

- a second intermediate group-point (P) is calculated by adding all said
users temporary group-points (P = H(ID(i+1),U(i+1))*U(i+1) + H(IDi,Ui)*Ui
+ H(ID(i-1),U(i-1))*U(i-1) + ... + H(ID1,U1)*U1);

- a third intermediate group-point (Q) is calculated by adding said first
intermediate group-point and said second intermediate group-point and
the public value of said Certifying Authority (Q =
H(ID(i+2),Y(i+2),T(i+2))*T(i+2) + P + U0);

- a fourth intermediate group-point (s(i+2)*G) is calculated by exponentiating
the generating group-point to the power of the first part (s(i+2)) of said
certificate;

- the value of said fourth intermediate group-point (s(i+2)*G) is compared to
that of said third intermediate group-point (Q) and the certificate is
determined as being valid in the case of equality.



In a further aspect the invention encompasses a chained signature generation and
verification system for permitting a successor user (User(i+1)) according to the method
of the invention, to generate a signature and permitting a verifying party to verify said
signature, the system comprising:

(1) means for permitting said successor user (User(i+1)) to generate a signature on
a message (m) wherein:

- a first scalar (k) is randomly generated;

- a first part of a signature (T) is generated by exponentiating the generating
group-point to the power of said first scalar (T = k*G);

- a representing value (H(m,T)) is generated by operating with the converting
mathematical operation on said message (m) and said first part of a
signature (T);

- a second part of a signature (s) is calculated by multiplying said representing
value (H(m,T)) by said first scalar (k) and adding the private key of said
successor user (x(i+1)) to the product obtained by said multiplication (s =
H(m,T)*k + x(i+1)) and reducing the result modulo the order of said
generating group-point;

(2) means for permitting said successor user to submit said message (m) and said
signature (T and s) to said verifying party, said signature comprising of said
first part of a signature (T) and said second part of a signature (s);

(3) means for providing said verifying party with the Certifying Authority public
value (U0) and with a plurality of pairs of values (IDj and Uj) consisting of the
identification details and public values (IDj and Uj) of all users (Userj, j = 1,
2, ..., i+1) in the chained key-issuing process as hereinbefore defined, starting
with the first successor user (User1) after the Certifying Authority and ending
with said successor user (User(i+1));

(4) means for permitting said verifying party to verify the validity of said
signature (T and s) on said message (m), wherein:

- said representing value (H(m,T)) is generated in the way described;

- a first intermediate group-point (H(m,T)*T) is calculated by exponentiating
said first part of the signature (T) to the power of said representing value;

- users representing values (H(IDj,Uj), j = 1, 2, ..., i+1) are calculated by
operating with said converting mathematical operation on each pair of said
plurality of pairs of values (IDj and Uj);

- users temporary group-points (H(IDj,Uj)*Uj, j = 1, 2, ..., i+1) are calculated
for each user in said chained key-issuing process, starting with said first
successor user (User1) and ending with said successor user (User(i+1)), by
exponentiating each said user public value (Uj) to the power of said user
representing value (H(IDj,Uj));

- a second intermediate group-point (P) is calculated by adding all said
temporary group-points (P = H(ID(i+1),U(i+1))*U(i+1) + H(IDi,Ui)*Ui +
H(ID(i-1),U(i-1))*U(i-1) + ... + H(ID1,U1)*U1);

- a third intermediate group-point (Q) is calculated by adding said first
intermediate group-point and said second intermediate group-point and
the public value of said Certifying Authority (Q = H(m,T)*T + P + U0);

- a fourth intermediate group-point (s*G) is calculated by exponentiating the
generating group-point to the power of the first part (s) of said signature;

- the value of said fourth intermediate group-point (s*G) is compared to
that of said third intermediate group-point (Q) and the signature is
determined as being valid in the case of equality.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS 

All the above and other characteristics and advantages of the invention, though clear to
the skilled person, will be better understood through the following illustrative and
non-limitative description of preferred embodiments thereof.

The implementations rely on a finite group of points over which the discrete logarithm 
problem applies. 

The following notations and terms are used throughout the description of the 
various embodiments of this invention: 

The term "group-point" refers to an element of a finite group of points in which the 
discrete logarithm problem applies. 

A group-point is denoted in bold. 

s*P is a group-point obtained by exponentiating the group-point P to the power s. 

A 'scalar' is a value which acts as an exponent. It is denoted by lower-case letters. 

The '+' notation in the expression s*P + t*Q means an addition of two group-points 
under the specific features of said finite group of points. 

G denotes a generating group-point, joint to all users of a given system.

LogP is the scalar k such that P = k*G. Note that Log(A+B) = LogA + LogB.



Scalars are calculated modulo the order of G.

CA - The Certifying Authority.

Useri - the i-th user in a certification chain (in which the CA is User0).

xi - the private key of Useri.

Ui - the public value of Useri. Useri, except for User0 (which is the CA), does not know
LogUi.

H(c,B,D), H(c,B), H(B) - a mathematical operation, known to the CA and to all users, 
that converts a scalar and two group-points, or a scalar and a group-point, or a 
group-point, into a scalar. For the case of operating over elliptic-curves, a preferred 
implementation of the operation H(B) is taking the value of the x-coordinate of the 
group-point B. 

A preferred first embodiment of this invention concerns a chained key-issuing method
wherein a user, termed Useri, provides personal keys to another user, termed User(i+1),
and where the Certifying Authority, termed CA, acts as User0. Said personal keys,
which consist of a private key x(i+1) and a public value U(i+1) and which are distinct for
each user, are provided for the purpose of effecting public key cryptographic operations
over a finite group of points in which the discrete logarithm problem applies.
The identification details of said User(i+1) are termed ID(i+1). The private key of said
Useri is a scalar xi.

Useri performs the following operations:

generate a random k(i+1);

calculate U(i+1) = k(i+1)*G, for a generating group-point G, joint to all users;

calculate x(i+1) = H(ID(i+1),U(i+1))*k(i+1) + xi

where H(c,B) is a compressing mathematical operation, known to the CA and to all
users, that converts the group-point B and a scalar c into a scalar.

x(i+1), like other scalars calculated in the processes included in this invention, is
calculated modulo the order of said generating group-point G, as will be clear to
persons skilled in the art.

Said Useri issues said values x(i+1) and U(i+1) to said User(i+1). These two values serve,
respectively, as the user's private value and the user's public value. In this case, the
private key x(i+1) of User(i+1) is known to Useri.

Said User(i+1) is also provided with the public value U0 of the CA and the identification
details IDj and public values Uj, for j = 1, 2, ..., i. (That is, said User(i+1) is provided
with the identification details and public values of all users that preceded him in the
certification chain.)

Said User(i+1) can establish the validity of said values x(i+1) and U(i+1) issued to him by
said Useri by checking whether

x(i+1)*G = H(ID(i+1),U(i+1))*U(i+1) + H(IDi,Ui)*Ui + H(ID(i-1),U(i-1))*U(i-1) + ... +
H(ID1,U1)*U1 + U0.

A preferred second embodiment of this invention concerns a method, which is an
alternative to the method according to said preferred first embodiment of this invention,
by which Useri provides personal keys to User(i+1).

According to said preferred second embodiment of this invention, and using the same
notations used in said preferred first embodiment of this invention, said User(i+1)
generates a random m(i+1) and submits m(i+1)*G to said Useri. Said Useri performs the
following operations:

generate a random k(i+1);

calculate k(i+1)*G and U(i+1) = m(i+1)*G + k(i+1)*G;

calculate p(i+1) = H(ID(i+1),U(i+1))*k(i+1) + xi

Said Useri issues said values p(i+1) and U(i+1) to said User(i+1).

Said User(i+1) generates his private key x(i+1) = p(i+1) + H(ID(i+1),U(i+1))*m(i+1).

That is: x(i+1) = H(ID(i+1),U(i+1))*(k(i+1)+m(i+1)) + xi.

Said User(i+1) can establish the validity of the values p(i+1) and U(i+1) issued to him by
said Useri by checking whether

p(i+1)*G = H(ID(i+1),U(i+1))*(k(i+1)*G) + H(IDi,Ui)*Ui + H(ID(i-1),U(i-1))*U(i-1) + ... +
H(ID1,U1)*U1 + U0.

(User(i+1) calculates k(i+1)*G by subtracting m(i+1)*G from U(i+1).)

The method according to said preferred second embodiment of this invention does not
allow said Useri to know the private key x(i+1) of said User(i+1), unlike the method
according to said preferred first embodiment of this invention.



A preferred third embodiment of this invention concerns a certificate generation system
wherein User(i+1) according to said preferred first or second embodiments of this
invention certifies the association between the public key Y(i+2) and the identification
details ID(i+2) of a user termed User(i+2). Said public key Y(i+2) can serve in any general
public key cryptographic method, and it is not necessarily issued by said User(i+1) or
effected by said certificate generation system.

Said User(i+1) generates a random k(i+2) and the certificate, which consists of the pair of
values {T(i+2),s(i+2)}, where T(i+2) = k(i+2)*G and s(i+2) = H(ID(i+2),Y(i+2),T(i+2))*k(i+2) +
x(i+1).

A preferred fourth embodiment of this invention concerns a chained certificate
verification system wherein a general user verifies the association between the public
key Y(i+2) and the identification details ID(i+2) of the user User(i+2) defined in the
preferred third embodiment of this invention.

To effect said chained certificate verification, said general user is provided with said
values ID(i+2) and Y(i+2), the certificate, which consists of the pair of values
{s(i+2),T(i+2)}, the public value U0 of the CA, and the reference information IDj and Uj, j
= 1, 2, ..., i+1. Said general user then checks whether

s(i+2)*G = H(ID(i+2),Y(i+2),T(i+2))*T(i+2) + H(ID(i+1),U(i+1))*U(i+1) + H(IDi,Ui)*Ui +
H(ID(i-1),U(i-1))*U(i-1) + ... + H(ID1,U1)*U1 + U0.



A preferred fifth embodiment of this invention concerns a chained signature generation
and verification system wherein User(i+1) according to said preferred first or second
embodiments of this invention signs a message m. Said User(i+1) signs said message m
by generating the signature which consists of the pair of values {T,s}, where T = k*G
for a random k, and s = H(m,T)*k + x(i+1).

A general user, provided with said signature {T,s}, effects a chained signature
verification based on the public value U0 of the CA and the reference information IDj
and Uj, j = 1, 2, ..., i+1. Said general user checks whether

s*G = H(m,T)*T + H(ID(i+1),U(i+1))*U(i+1) + H(IDi,Ui)*Ui + H(ID(i-1),U(i-1))*U(i-1) +
... + H(ID1,U1)*U1 + U0.
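
The key-issuing, certificate and signature embodiments above can be exercised end to end. The following Python sketch is an added example, not part of the patent text: it assumes the secp256k1 curve as the finite group, SHA-256 as the converting operation H, and hypothetical function names (issue, issue_blinded, chain_point, sign, verify); the IDs, message and public key Y are constructed sample values.

```python
# Added illustration, not code from the patent. secp256k1 and SHA-256 are assumed choices.
import hashlib
import secrets

P = 2**256 - 2**32 - 977   # field prime of secp256k1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(A, B):
    """Group-point addition A + B (None is the identity element)."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(s, A):
    """s*A in the patent's notation. Double-and-add, not constant time."""
    R, s = None, s % N
    while s:
        if s & 1:
            R = add(R, A)
        A, s = add(A, A), s >> 1
    return R

def H(*parts):
    """Converting operation H: byte strings and group-points -> scalar mod N."""
    h = hashlib.sha256()
    for part in parts:
        data = part if isinstance(part, bytes) else b"%064x%064x" % part
        h.update(len(data).to_bytes(2, "big") + data)   # length-prefix each input
    return int.from_bytes(h.digest(), "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def issue(x_i, id_next):
    """First embodiment: User_i computes U(i+1) and x(i+1), so it learns x(i+1)."""
    k = rand_scalar()
    U = mul(k, G)
    return U, (H(id_next, U) * k + x_i) % N

def issue_blinded(x_i, id_next):
    """Second embodiment; both parties' steps are shown in one function."""
    m = rand_scalar()                       # successor: secret m, sends m*G
    k = rand_scalar()                       # issuer: secret k
    U = add(mul(m, G), mul(k, G))           # issuer: U(i+1) = m*G + k*G
    p = (H(id_next, U) * k + x_i) % N       # issuer: returns p(i+1) and U(i+1)
    return U, (H(id_next, U) * m + p) % N   # successor: x(i+1), unknown to issuer

def chain_point(U0, chain):
    """P + U0, where P is the sum of H(IDj,Uj)*Uj over the (IDj, Uj) pairs."""
    Q = U0
    for ident, U in chain:
        Q = add(Q, mul(H(ident, U), U))
    return Q

def sign(x, *parts):
    """Fifth embodiment with parts=(m,); third embodiment with parts=(ID, Y)."""
    k = rand_scalar()
    T = mul(k, G)
    return T, (H(*parts, T) * k + x) % N

def verify(U0, chain, sig, *parts):
    """Accept iff s*G == H(parts,T)*T + P + U0."""
    T, s = sig
    return mul(s, G) == add(mul(H(*parts, T), T), chain_point(U0, chain))

def demo():
    x0 = rand_scalar()                      # CA private key
    U0 = mul(x0, G)                         # CA public value
    chain, x = [], x0
    for level, ident in enumerate([b"User1", b"User2", b"User3"]):  # constructed IDs
        U, x = (issue_blinded if level == 1 else issue)(x, ident)
        chain.append((ident, U))
        assert mul(x, G) == chain_point(U0, chain)   # successor's key validity check
    sig = sign(x, b"pay 10")                          # User3 signs a message
    cert = sign(x, b"User4", b"constructed public key Y4")   # User3 certifies User4
    relabelled = [(b"Mallory", chain[0][1])] + chain[1:]     # one ID swapped
    return (verify(U0, chain, sig, b"pay 10"),
            verify(U0, chain, cert, b"User4", b"constructed public key Y4"),
            verify(U0, relabelled, sig, b"pay 10"),
            verify(U0, chain, sig, b"pay 11"))

if __name__ == "__main__":
    print(demo())
```

In this sketch verify() performs one scalar multiplication per chain entry plus two, against the two per level counted in the Background, and a chain entry whose ID has been changed causes the single equality check to fail.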



A preferred sixth embodiment of this invention concerns an alternative to any of said 
first to fifth preferred embodiments of this invention, in which the identification details 
of a user are not being used. 

According to said preferred sixth embodiment of this invention, any notation of the 
form H(IDi,Ui)*Ui or H(IDi,Yi,Ti), used in any of said first to fifth preferred 
embodiments of this invention, is respectively replaced by H(Ui)*Ui or H(Yi,Ti). 



All the above description of preferred embodiments has been provided for the purpose
of illustration, and is not intended to limit the invention in any way. Many variations
can be made in the various methods and systems of the invention, without exceeding its
scope.

CLAIMS

1. A method for effecting a chained key-issuing process over a finite group of points in
which the discrete logarithm problem applies, wherein an issuing user (Useri), who
possesses an issuing user public value (Ui) and an issuing user private key (xi),
provides to a successor user (User(i+1)) a successor user public value (U(i+1)) and a
successor user private key (x(i+1)), and where said issuing user, except for the Certifying
Authority (CA), was himself a successor user in a preceding step in the chained
key-issuing process, and where said Certifying Authority acts as the first issuing user in
the chained key-issuing process, comprising the steps of:

(1) permitting said Certifying Authority to select a generating group-point (G)
whose exponentiations to various powers generate various group-points and a
converting mathematical operation (H) which converts several input values into a
scalar;

(2) permitting said Certifying Authority to possess a Certifying Authority private
key (x0);

(3) permitting said Certifying Authority to possess a Certifying Authority public
value (U0), obtained by exponentiating said generating group-point to the power
of said Certifying Authority private key (U0 = x0*G);

(4) permitting said issuing user (Useri) to possess said generating group-point (G)
and said converting mathematical operation (H) and the identification details
(ID(i+1)) of said successor user;

(5) permitting said issuing user (Useri) to possess an issuing user private key (xi),
where, except for the case in which said issuing user is said Certifying Authority,
said issuing user private key was provided to said issuing user at a preceding stage
in the chained key-issuing process (in which Useri acted as a successor user in
respect to an issuing User(i-1));

(6) permitting said issuing user (Useri) to calculate said successor user public
value (U(i+1)) and said successor user private key (x(i+1)) wherein:

- a successor user random value (k(i+1)) is generated and said successor user
public value (U(i+1)) is calculated by exponentiating said generating
group-point to the power of said successor user random value (U(i+1) =
k(i+1)*G);

- a successor user representing value (H(ID(i+1),U(i+1))) is calculated by
operating with said converting mathematical operation on said successor user
identification details (ID(i+1)) and said successor user public value (U(i+1));

- said successor user private key (x(i+1)) is calculated by multiplying said
successor user representing value (H(ID(i+1),U(i+1))) by said successor user
random value (k(i+1)) and adding said issuing user private key (xi) to the
product obtained by said multiplication (x(i+1) = H(ID(i+1),U(i+1))*k(i+1) + xi)
and reducing the result modulo the order of said generating group-point;

(7) permitting said issuing user (Useri) to submit said successor user public value
(U(i+1)) and said successor user private key (x(i+1)) to said successor user
(User(i+1)).



2. A method for effecting a chained key-issuing process according to the method of
Claim 1, where the issuing user (Useri) does not know the successor user private key
(x(i+1)), further comprising the steps of:

(i) permitting said successor user (User(i+1)) to generate a first random value
(m(i+1)) and calculate a first intermediate group-point (m(i+1)*G) by
exponentiating the generating group-point to the power of said first random value;

(ii) permitting said successor user to submit said first intermediate group-point
(m(i+1)*G) to said issuing user (Useri);

(iii) permitting said issuing user to calculate a successor user public value (U(i+1))
and a successor user intermediate private key (p(i+1)), wherein:

- a second random value (k(i+1)) is generated and a second intermediate
group-point (k(i+1)*G) is calculated by exponentiating said generating
group-point to the power of said second random value;

- said successor user public value (U(i+1)) is calculated by adding said first
intermediate group-point and said second intermediate group-point (U(i+1) =
m(i+1)*G + k(i+1)*G);

- a successor user representing value (H(ID(i+1),U(i+1))) is calculated in the
way described;

- said successor user intermediate private key (p(i+1)) is calculated by
multiplying said successor user representing value (H(ID(i+1),U(i+1))) by said
second random value (k(i+1)) and adding the issuing user private key (xi) to
the product obtained by said multiplication (p(i+1) = H(ID(i+1),U(i+1))*k(i+1) +
xi) and reducing the result modulo the order of said generating group-point;

(iv) permitting said successor user to generate the successor user private key
(x(i+1)) by calculating said successor user representing value (H(ID(i+1),U(i+1))) in
the way described and multiplying said successor user representing value by said
first random value (m(i+1)) and adding said successor user intermediate private key
(p(i+1)) to the product obtained by said multiplication (x(i+1) =
H(ID(i+1),U(i+1))*m(i+1) + p(i+1)) and reducing the result modulo the order of said
generating group-point.



3. A certificate generation system for permitting a generating user who is a successor
user (User(i+1)) according to the method of Claim 1, to issue a certificate to a general
user (User(i+2)) where said certificate attests to the association between said general user
public key (Y(i+2)) and said general user identification details (ID(i+2)), where said
general user public key was issued to said general user according to any known public
key cryptographic method, the system comprising:

(1) means for permitting said generating user to generate a first random scalar
(k(i+2));

(2) means for permitting said generating user to calculate a first part of a
certificate (T(i+2)) by exponentiating the generating group-point to the power
of said first random scalar (T(i+2) = k(i+2)*G);

(3) means for permitting said generating user to calculate a general user
representing value (H(ID(i+2),Y(i+2),T(i+2))) by operating with the converting
mathematical operation on said general user identification details (ID(i+2)) and
said general user public key (Y(i+2)) and said first part of a certificate (T(i+2));

(4) means for permitting said generating user to calculate a second part of a
certificate (s(i+2)) by multiplying said general user representing value by said
first random scalar (k(i+2)) and adding the private key (x(i+1)) of said
generating user to the product obtained by said multiplication (s(i+2) =
H(ID(i+2),Y(i+2),T(i+2))*k(i+2) + x(i+1)) and reducing the result modulo the order
of said generating group-point;

(5) means for permitting said generating user to submit said certificate to said
general user, said certificate comprising of said first part of a certificate
(T(i+2)) and said second part of a certificate (s(i+2)).



4. A chained certificate verification system for permitting a verifying user to verify the 
authenticity of the certificate (T(i+2) and s(i+2)) issued to the general user (User(i+2)) as 
defined in Claim 3, the system comprising: 

(1) means for providing said verifying user with said certificate and with the 
general user public key (Y(i+2)) and with the general user identification details 
(ID(i+2)) and with the Certifying Authority public value (U0) and with a 
plurality of pairs of values (IDj and Uj) consisting of the identification details 
and public values of all users (Userj, j = 1, 2,..., i+1) in the chained 
key-issuing process as defined in Claim 1, starting with the first successor 
user (User1) after the Certifying Authority and ending with the generating user 
(User(i+1)) as defined in Claim 3; 

(2) means for permitting said verifying user to verify the validity of said 
certificate, wherein: 

- a first scalar (H(ID(i+2),Y(i+2),T(i+2))) is calculated by operating with the 
converting mathematical operation on said general user identification 
details (ID(i+2)) and said general user public key (Y(i+2)) and the first part 
of said certificate (T(i+2)); 

- a first intermediate group-point (H(ID(i+2),Y(i+2),T(i+2))*T(i+2)) is calculated 
by exponentiating said first part of the certificate (T(i+2)) to the power of 
said first scalar; 

- users representing values (H(IDj,Uj), j = 1, 2,..., i+1) are calculated by 
operating with said converting mathematical operation on each pair of said 
plurality of pairs of values (IDj and Uj); 

- users temporary group-points (H(IDj,Uj)*Uj, j = 1, 2,..., i+1) are calculated 
for each user in said chained key-issuing process, starting with said first 
successor user (User1) and ending with said generating user (User(i+1)), by 
exponentiating each said user public value (Uj) to the power of said user 
representing value (H(IDj,Uj)); 

- a second intermediate group-point (P) is calculated by adding all said 
users temporary group-points (P = H(ID(i+1),U(i+1))*U(i+1) + H(IDi,Ui)*Ui 
+ H(ID(i-1),U(i-1))*U(i-1) + ... + H(ID1,U1)*U1); 

- a third intermediate group-point (Q) is calculated by adding said first 
intermediate group-point and said second intermediate group-point and 
the public value of said Certifying Authority (Q = 
H(ID(i+2),Y(i+2),T(i+2))*T(i+2) + P + U0); 

- a fourth intermediate group-point (s(i+2)*G) is calculated by exponentiating 
the generating group-point to the power of the first part (s(i+2)) of said 
certificate; 

- the value of said fourth intermediate group-point (s(i+2)*G) is compared to 
that of said third intermediate group-point (Q) and the certificate is 
determined as being valid in the case of equality. 

5. A chained signature generation and verification system for permitting a successor 
user (User(i+1)) according to the method of Claim 1, to generate a signature and 
permitting a verifying party to verify said signature, the system comprising: 

(1) means for permitting said successor user (User(i+1)) to generate a signature on 
a message (m) wherein: 

- a first scalar (k) is randomly generated; 

- a first part of a signature (T) is generated by exponentiating the generating 
group-point to the power of said first scalar (T = k*G); 

- a representing value (H(m,T)) is generated by operating with the converting 
mathematical operation on said message (m) and said first part of a 
signature (T); 

- a second part of a signature (s) is calculated by multiplying said representing 
value (H(m,T)) by said first scalar (k) and adding the private key of said 
successor user (x(i+1)) to the product obtained by said multiplication (s = 
H(m,T)*k + x(i+1)) and reducing the result modulo the order of said 
generating group-point; 

(2) means for permitting said successor user to submit said message (m) and said 
signature (T and s) to said verifying party, said signature comprising of said 
first part of a signature (T) and said second part of a signature (s); 

(3) means for providing said verifying party with the Certifying Authority public 
value (U0) and with a plurality of pairs of values (IDj and Uj) consisting of the 
identification details and public values (IDj and Uj) of all users (Userj, j = 1, 
2,..., i+1) in the chained key-issuing process as defined in Claim 1, starting 
with the first successor user (User1) after the Certifying Authority and ending 
with said successor user (User(i+1)); 

(4) means for permitting said verifying party to verify the validity of said 
signature (T and s) on said message (m), wherein: 

- said representing value (H(m,T)) is generated in the way described; 

- a first intermediate group-point (H(m,T)*T) is calculated by exponentiating 
said first part of the signature (T) to the power of said representing value; 

- users representing values (H(IDj,Uj), j = 1, 2,..., i+1) are calculated by 
operating with said converting mathematical operation on each pair of said 
plurality of pairs of values (IDj and Uj); 

- users temporary group-points (H(IDj,Uj)*Uj, j = 1, 2,..., i+1) are calculated 
for each user in said chained key-issuing process, starting with said first 
successor user (User1) and ending with said successor user (User(i+1)), by 
exponentiating each said user public value (Uj) to the power of said user 
representing value (H(IDj,Uj)); 

- a second intermediate group-point (P) is calculated by adding all said 
temporary group-points (P = H(ID(i+1),U(i+1))*U(i+1) + H(IDi,Ui)*Ui + 
H(ID(i-1),U(i-1))*U(i-1) + ... + H(ID1,U1)*U1); 

- a third intermediate group-point (Q) is calculated by adding said first 
intermediate group-point and said second intermediate group-point and 
the public value of said Certifying Authority (Q = H(m,T)*T + P + U0); 

- a fourth intermediate group-point (s*G) is calculated by exponentiating the 
generating group-point to the power of the first part (s) of said signature; 

- the value of said fourth intermediate group-point (s*G) is compared to 
that of said third intermediate group-point (Q) and the signature is 
determined as being valid in the case of equality. 

6. A certificate generation system according to Claim 3, wherein the successor user 
(User(i+1)) is defined according to Claim 2. 

7. A chained certificate verification system according to Claim 4, wherein the chained 
key-issuing process is defined according to Claim 2. 

8. A chained signature generation and verification system according to Claim 5, wherein 
the successor user (User(i+1)) is defined according to Claim 2. 

9. A method for effecting a chained key-issuing process, essentially as described and 
illustrated. 

10. A certificate generation system, essentially as described and illustrated. 

11. A chained certificate verification system, essentially as described and illustrated. 

12. A chained signature generation and verification system, essentially as described and 
illustrated. 
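
The certificate and signature equations of Claims 3 to 5, carried through in code as an added example that is not part of the patent text. It uses the modular-exponentiation form of the scheme, so a*G is written pow(G, a, p) and group-point addition becomes multiplication mod p. Assumptions: the toy group, SHA-256 with length-prefixed fields as the converting operation, the constructed IDs and message, and the plain issuing step Uj = k(j)*G, x(j) = H(IDj,Uj)*k(j) + x(j-1), which is inferred from the verification equation because Claim 1 is not reproduced in this section.

```python
import hashlib
import secrets

# Toy group (assumption, not secure): Z_p* with the Mersenne prime p = 2^127 - 1.
P_MOD = 2**127 - 1
N = P_MOD - 1              # scalars are reduced modulo the group order
G = 3                      # stands in for the generating group-point

def H(*fields):
    """Converting operation (assumed): SHA-256 over length-prefixed fields."""
    h = hashlib.sha256()
    for f in fields:
        b = str(f).encode()
        h.update(len(b).to_bytes(4, "big") + b)
    return int.from_bytes(h.digest(), "big") % N

def rand_scalar():
    return secrets.randbelow(N - 1) + 1

def issue_key(x_issuer, succ_id):
    """Assumed issuing step: U = k*G, x = H(ID,U)*k + x_issuer (mod N)."""
    k = rand_scalar()
    U = pow(G, k, P_MOD)
    return U, (H(succ_id, U) * k + x_issuer) % N

def sign(x, *fields):
    """Claims 3 and 5: T = k*G, s = H(fields,T)*k + x (mod N)."""
    k = rand_scalar()
    T = pow(G, k, P_MOD)
    return T, (H(*fields, T) * k + x) % N

def verify(U0, chain, T, s, *fields):
    """Claims 4 and 5: accept iff s*G == H(fields,T)*T + P + U0."""
    Q = pow(T, H(*fields, T), P_MOD) * U0 % P_MOD
    for ident, U in chain:                 # P = sum over j of H(IDj,Uj)*Uj
        Q = Q * pow(U, H(ident, U), P_MOD) % P_MOD
    return pow(G, s, P_MOD) == Q

def demo():
    x0 = rand_scalar()                     # CA private key
    U0 = pow(G, x0, P_MOD)                 # CA public value
    chain, x = [], x0
    for ident in ("user1@example", "user2@example"):   # constructed IDs
        U, x = issue_key(x, ident)
        chain.append((ident, U))
    Y = pow(G, rand_scalar(), P_MOD)       # third party's own public key
    cert = sign(x, "user3@example", Y)     # Claim 3 certificate (T, s)
    sig = sign(x, "pay 10 to bob")         # Claim 5 signature (T, s)
    return U0, chain, Y, cert, sig
```

Verification costs one exponentiation per chain link plus two for the certificate or signature itself. The only value the verifier has to trust in advance is U0: changing any IDj or Uj in the supplied chain changes its representing value and the equality fails.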